Treasury Inspector General for Tax Administration

Press Release

TIGTA Releases Report on Security Vulnerability of IRS E-File System

The Treasury Inspector General for Tax Administration (TIGTA) today publicly released its review of the Internal Revenue Service's (IRS) Modernized e-File System, which was deployed with known security vulnerabilities, placing the security and privacy of taxpayer information at risk.

The Modernized e-File System (MeF) will provide a single method for filing all IRS tax returns, information returns, forms, and schedules via the Internet.

TIGTA's audit found that the Me-F project office did not prevent and resolve known security vulnerabilities before deployment of the system. The vulnerabilities are related to system access, monitoring system activities, disaster recovery and protection of sensitive data.

"We believe that the lack of attention to security controls during developmental phases can be traced to other business requirements, filing season pressures, and deployment demands. These concerns have taken precedence over security concerns, and executive-level management was not adequately engaged to ensure that security needs and requirements were being implemented," commented J. Russell George, Inspector General, Treasury Inspector General for Tax Administration.

TIGTA identified some of the same vulnerabilities in prior reports on IRS modernization projects, most recently in a September 2008 report on the Customer Account Data Engine (CADE), and the Account Management Services (AMS) systems. The MeF, CADE and AMS projects are at the heart of the IRS's Business Systems Modernization program.

"The IRS continues to struggle with security vulnerabilities in its modernized systems while at the same time trying to provide effective and efficient service to taxpayers," Inspector General George stated.

"The IRS has established policies and procedures for security and privacy requirements, but did not follow those guidelines during the planning and design phases for the system," Inspector General George noted.

The report also found that IRS officials did not carry out their responsibilities for ensuring the identified weaknesses had been fully addressed prior to deployment.

TIGTA identified some of these vulnerabilities in prior audit reports on the CADE and other modernization projects. To remedy the vulnerabilities identified in the current report, TIGTA recommended several solutions, including that IRS officials consider all security vulnerabilities which affect the overall security of these systems before implementation.

While agreeing with TIGTA's recommendations, the IRS's corrective actions are focused on continuing to follow existing processes or strengthening current processes. As stated in the report, TIGTA believes that the existing security vulnerabilities were not caused by process deficiencies. Instead, IRS offices did not carry out their responsibilities for ensuring that security weaknesses were corrected before deployment.